What to Expect When You’re Expecting a Ransomware Attack

I’m noticing a troubling trend, wherein after a ransomware attack is publicly exposed, sales teams descend upon the victims like a flock of thirsty pigeons offering to “help.” As a PSA, it’s time to say the quiet part out loud: AFTER ransomware has encrypted your data, it’s too late. There is NOTHING any vendor can do unless they are selling a time machine. Unless Google calls to loan you their quantum computer currently levitating near absolute zero temperatures, tell them they cannot help you break the AES-256 cryptography. The time to address a ransomware attack is BEFORE it takes place.

Regular sumo readers (I don’t check sumo stats but can only assume there are millions) might recall that I recently wrote a more comprehensive ransomware article here but there’s no doubt about it, ransomware is on the rise and merits revisiting.  Let’s pull up the manhole cover again and see what new rats are lurking in the ransomware sewers this time, and why network security measures are inadequate.

Since I have written in detail before on this topic, this time I’m going to focus on three topics I believe to be largely misunderstood:

  1. What a typical experience looks like when escaping ransomware jail
  2. Why network security won’t help
  3. Why your current backup is useless

It’s been well-publicized that just a few weeks ago, hospitals started reporting a sharp increase in ransomware attacks. Just this past week, the Wall Street Journal published an article with gruesome details of several attacks on public school systems. While there is no central report to track these attacks, the Journal reports tracking nearly three dozen public school districts that have been attacked since the pandemic began in March, which does not include private schools, colleges or universities. Just this week, school systems in Toledo, Ohio and Athens, Texas have released more details on their attacks and the stories are frightening.

These rancid attacks have increased so fast that two US Senators have recently asked the US Department of Education Secretary to come up with a national response to the growing crisis. The FBI’s answer is not to pay, which is virtuous thought as long as the attack is happening to someone else.

Escaping From Ransomware Jail

I don’t think most people have any idea what it takes to recover encrypted data, even after criminals receive payment and release decryption keys. Imagine you are the IT administrator at a local school system, and you get a call that one of your systems is not responding. You log into the application’s server and see something that looks like this:

Screen-capture of “Maze,” the most common ransomware variant of 2020. Nice, right?

It’s definitely worrisome but you’ve been backing up that server’s data every night. You log into your backup server and notice the backup server’s data is ALSO encrypted.

Now you’re worried. Additional calls start coming in and confirm what you already started to fear- everything is encrypted.

Onward we go to the third stage of grief, bargaining. After a frantic call with your manager, you are instructed to look into what it would take to pay the ransom. You look closer at the scary instructions on the screen.

The friendly instructions say to pay in 7 days or the data decryption keys will be lost forever. Awesome. Ordinarily you could turn around an emergency purchase order in about a week but something tells you these punks won’t extend net-30-day billing terms. A closer inspection confirms that payment must be made in Bitcoin. Dandy. Unsurprisingly the school system did not have a Bitcoin wallet.

The “consultant” your school board hired after you reported the attack has now offered to “help,” which means the consultant will pay in Bitcoin and bill the school system. Whew. It’s been painful but surely now you’re out of the woods, right?

You finally get a list of decryption keys to “unlock” the files. Only, oh no! They aren’t even marked! Now you have to manually match these keys with each server and desktop. This extended downtime was unexpected and costly.

When you do get lucky and find a matching key, you notice another fun surprise- the servers are crashing before the data fully-decrypts. Another fun fact about ransomware is that the data is not decrypted “in-place.” Rather, the recovered data is copied. Many of your servers did not have 50% free space and the disks are filling up.

Adding insult to injury, you were unable to restore several critical systems (approximately 10% of data on average is never recovered). Worst of all, you have no idea how the systems were compromised and now you are understandably worried you might become a repeat customer.

As the school’s IT administrator who recently experienced this first hand, one recent victim blamed himself. “I felt like a complete and total failure,” he said.

Network Security Won’t Help

Modern threats require modern backups. Any good ransomware plan needs to start with a strong backup strategy. Firewalls are great but, as the last line of defense, your backups might be the only thing standing between you and the brutal story we just witnessed.

Cybersecurity has traditionally been network-based. Network security is important, but no firewall or email filter can prevent 100% of attacks. Between email, BYOD policies and work-from-home realities, the attack surface has grown significantly in just the last few months. Think of your firewall as a goaltender. Even the best hockey goalies only prevent approximately 90% of shots from going in. With ubiquitous computing power and automation, the number of ransomware shots is going to continue to climb exponentially. While a shiny new security appliance might be even better than Patrick Roy at preventing ransomware, all it takes is one that gets through and you’re still looking at the same painful outcome. The school systems in Toledo reported that ransomware most likely entered their network after a faculty member left a web meeting open.

This brings me to my point- Networks can only be babyproofed so much. Zoom/WebEx/Teams are a way of life now. There is no practical way to prevent ransomware without severely degrading the user experience or obstructing productivity. A more modern approach can allow for easy protection from ransomware without locking down the user.

In order to assess your ransomware readiness, ask your IT staff some tough questions:

  1. Assuming $1,000/system, how much would we likely have to pay if all our servers were encrypted by ransomware?
  2. Do we have a Bitcoin Wallet?
  3. How long would it take to recover ALL our data from a ransomware attack?
  4. What is keeping someone with YOUR internal access from corrupting/destroying the backups?
  5. Can we easily and routinely test recovering ALL our servers from a ransomware attack?

If Vendors and Networks Can’t Help After an Attack, What Can You Do?

The only way to successfully recover from a ransomware attack is by restoring from a safe, immutable backup copy made BEFORE the data was encrypted. This sounds simple enough. Surely all organizations are backing up their data, right? Actually, classic backup architecture is useless against a modern-day ransomware attack.

Remember that ransomware is a business. The purpose of ransomware is not anarchy through data destruction, but rather to be lucrative. Criminals know backups are an organization’s only chance to avoid paying ransom, so they are actively searching for the backup data in order to encrypt or destroy the backups. Data protection architecture designed before a few years ago (say, 2015ish) are based on windows servers and network shares that are vulnerable to the same ransomware that encrypts as any other system.

The other issue with classic backup is recovery times. Ransomware is designed to create urgency by attaching a time bomb to the decryption keys. In the lucky scenario where your backups weren’t also encrypted, your organization still needs to recover quickly and ensure your backups are valid before time runs out.

Reports indicate that cyber criminals typically charge approximately $1,000 USD/server or desktop system that was encrypted. The more systems the criminals can incapacitate, the more they can charge. This is why ransomware spreads like a virus. This means it’s likely your organization will need to recover all your data. Typical backup architectures were designed prior to ransomware and were designed to restore a small amount of data, like a single lost file or a single corrupt database. If it takes several days to restore and verify systems are up and there is an issue with any of your files, it could be too late to pay ransom and retrieve data.

Your organization may have spent a ton of time and money on that backup software and storage but it’s time to ditch it for something better before it’s too late.

Pure Storage FlashRecover- Why Fast Recovery is the Only Way to Escape Ransomware Jail

Thieves know that backups are an organization’s only chance, so backups are the first thing cybercriminals target. In this age of prolific widespread ransomware attacks, organizations need a new type of backup architecture to address this new form of modern threat.

Pure Storage FlashRecover is a simple, scalable ransomware recovery solution designed to instantly restore all your data from a safe, immutable offline copy with minimal interruptions to IT operations.

FlashRecover is powered by Cohesity, which means the backup data is never exposed to the network like traditional backup architectures. Rather, data is safely kept offline, only accessible via two-factor authentication with safeguards such as DataLock™ which renders backup objects non-deletable. With FlashRecover, you can be sure even your backup administrators could not delete your backup copies, much less a bad guy.

Now let’s talk about how you get your data back. FlashRecover uses FlashBlade’s all-flash, highly parallelized scale-out fast file and object platform for the storage layer. This means recoveries are even faster than the blazing backup speeds. Better yet, the entire solution is designed to leverage “Instant-Mass Restore” to be able to instantly recover thousands of virtual machines or even the largest databases, presented right from the backup storage, without waiting for data migrations. The instant recovery workflow is so fast, customers could easily test a full recovery every day if necessary.


What if your organization was hit by ransomware but didn’t have to worry because your IT team could restore everything instantly from an immutable copy? Network security will never prevent 100% of threats. It’s time for IT teams to upgrade old gear to a platform specifically designed to recover from ransomware. Pure Storage would like to help. Give your account team a call today to hear more about FlashRecover.

Leave a Reply

Your email address will not be published. Required fields are marked *